Action Item Review

Staff Updates

Leadership Council (LC) Updates

Ken reports that the Trust Framework Metamodel and Business Case for Trust Frameworks groups are being shut down before long.

Kantara is receiving attention for approval of UMA and the Principles of Identity Relationships, being promoted at upcoming events.

SecureKey has joined the Kantara board of trustees.

ARB updates

No specific updates.

Discussion

The group returned to the topic of NIST 800-63, Electronic Authentication Guidance. NIST is contemplating how to proceed with a revision to that document. As the IAWG, we are trying to prepare to gather thoughts and be coherent when the call comes.

Andrew has an outstanding task to contact Paul Grassi from NIST regarding thoughts from the IAWG on how to gather comments from industry. Group consensus seems to be that an RFI is the way to proceed, as a reasonable mechanism for NIST to use to gather information, possibly with follow-up workshops as well.

Andrew hoped that we could tackle a high-level discussion of the areas that need work in 800-63.

Cathy Tilton provides an example: Daon's comments on biometrics as an additional authentication factor instead of an unlock mechanism for an authentication token. She also said there's a need to handle mobile devices better.

Bob Pinhiero asks about liveness tests. Cathy responds that this is part of why it would be an added authentication factor instead. Bob brings up the Yubico example of a crypto token that's stored and unlocked with biometrics (which is already permitted). Cathy points out that LOA2 allows proof of possession of the device, and LOA3 adds an additional factor. The Daon product has some liveness detection, but NIST states that it varies by biometric modality and they have no standard for determining the effectiveness of a liveness measure. They also do not have accuracy requirements for the basic biometrics.

Ken Dagg states the concern that we don't know if NIST is looking for things that should be included or potential solutions to things that can be included.

Andrew captured a number of items on a mind map, which the team reviewed via join.me.